aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/kvm
diff options
context:
space:
mode:
authorAvi Kivity <avi@qumranet.com>2007-03-09 06:04:31 -0500
committerAvi Kivity <avi@qumranet.com>2007-03-18 04:49:09 -0400
commit27aba76615eeb36af84118e8ea6d35ffa51fd1e3 (patch)
tree8bd933f47eb91818c2e24cb10a4d820f0abea74e /drivers/kvm
parentac1b714e78c8f0b252f8d8872e6ce6f898a123b3 (diff)
KVM: MMU: Fix host memory corruption on i386 with >= 4GB ram
PAGE_MASK is an unsigned long, so using it to mask physical addresses on i386 (which are 64-bit wide) leads to truncation. This can result in page->private of unrelated memory pages being modified, with disasterous results. Fix by not using PAGE_MASK for physical addresses; instead calculate the correct value directly from PAGE_SIZE. Also fix a similar BUG_ON(). Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Avi Kivity <avi@qumranet.com>
Diffstat (limited to 'drivers/kvm')
-rw-r--r--drivers/kvm/mmu.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/kvm/mmu.c b/drivers/kvm/mmu.c
index 2cb48937be4..e85b4c7c36f 100644
--- a/drivers/kvm/mmu.c
+++ b/drivers/kvm/mmu.c
@@ -131,7 +131,7 @@ static int dbg = 1;
131 (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1)) 131 (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1))
132 132
133 133
134#define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & PAGE_MASK) 134#define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & ~(u64)(PAGE_SIZE-1))
135#define PT64_DIR_BASE_ADDR_MASK \ 135#define PT64_DIR_BASE_ADDR_MASK \
136 (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + PT64_LEVEL_BITS)) - 1)) 136 (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + PT64_LEVEL_BITS)) - 1))
137 137
@@ -406,8 +406,8 @@ static void rmap_write_protect(struct kvm_vcpu *vcpu, u64 gfn)
406 spte = desc->shadow_ptes[0]; 406 spte = desc->shadow_ptes[0];
407 } 407 }
408 BUG_ON(!spte); 408 BUG_ON(!spte);
409 BUG_ON((*spte & PT64_BASE_ADDR_MASK) != 409 BUG_ON((*spte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT
410 page_to_pfn(page) << PAGE_SHIFT); 410 != page_to_pfn(page));
411 BUG_ON(!(*spte & PT_PRESENT_MASK)); 411 BUG_ON(!(*spte & PT_PRESENT_MASK));
412 BUG_ON(!(*spte & PT_WRITABLE_MASK)); 412 BUG_ON(!(*spte & PT_WRITABLE_MASK));
413 rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte); 413 rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte);